All right, so Steven has been doing some research into banking. How many people out there use things like Quicken and things like that to fill out the spreadsheet for you? Yeah, okay, this is a security conference, so you all fail. You can turn in your mother's maiden name at the desk on your way out. That stuff's always kind of given me the creeps. That's why I use redacted, and I fill everything in by hand. And to validate that decision, let's give a big hand to Steven.

Take a quick drink of Pepsi. So I want to say first off, this is my seventh DEF CON, my first time on stage. I am super excited to be giving back to this community finally and share some knowledge, what I've been working on for about six months all told. So: hacking banks, because that's where the money is. What was my motivation? I think there's a lot of community overlap with, excuse me, with the tech geeks and finance geeks. A lot of people I work with are finance geeks as well. I like to hack things that I use. I like to hack things that are in my own backyard. I want to make my life safer and then, you know, improve the world around me through making my life safer. I don't write banking software; I'm a pen tester by job. So I'm just a guy with curl and Python and some curiosity, and I'll kind of walk you through how I went from zero to this talk in the last six months.

Sitting at home, I'm using Quicken. I am security aware; I've got two-factor on all my accounts. I load up my bank account in Quicken. The password doesn't work with a two-factor. Well, surely typing the password without two-factor, that's not gonna work. Nope, it does. So what's going on here? Just a plain text password? Is there a separate server? Is there a separate protocol? How is Quicken and other desktop software talking to my bank?
That's not just going through the webpage. So let's talk about Quicken. Quicken is one of what the financial industry calls personal financial management software. You've probably seen these names. I see a lot of people raise their hand; Mint.com is very popular. PFM is the industry term; I'll start throwing that around.

I have a bunch of bank accounts. Some people collect credit cards. Sorry, I collect credit cards. Some people collect baseball cards. Some people have way too many domain names. I have way too many bank accounts. They give you bonuses when you sign up, and I like understanding, from a practical, real sense, how the financial system works. So I've got, let's say, less than a hundred, more than 20 bank accounts that I want to manage, and that becomes a pain. So I want some simple aggregator client that I don't have to write myself, that'll just keep track of my transactions every month. I use Quicken personally. It's the devil I know. It's terrible. I love to hate it. I don't recommend it. I don't recommend any of these. I wish there was one that I could recommend to you.

So let's start from the user's experience. This is the Quicken UI. On the left-hand side you've got your list of bank accounts; it also does loans and credit cards. On the right-hand side you've got a big transaction list: everything you bought, who you paid, what you paid, when. Pretty standard for balancing your checkbook. So you first install a program like Quicken and this is what happens. You have to enter in your account info. First you tell it what kind of account you have; it's quite a large selection of banking products that we all use. Then you pick your bank name, and it does basically a name-to-URL lookup, a DNS-like lookup.
That's called the branding service. Then you pick out how you want to connect. Usually there's just one way; sometimes there are multiple ways, we'll go into that. Then you type in your credentials into this totally-not-your-bank's-website form where you put your plain text password. It somehow finds your accounts, you pick the one that you want to interact with in the app, and voilà, it starts downloading your transactions. That's what the user sees.

So what's going on in the background? There are three ways in which Quicken and other financial management software talks to your bank. These are the Quicken brand names. One's called Web Connect. Web Connect is a fancy way of saying you go to your website, you type in your creds, you go download a file, and you manually import it into the app. It's all manual. Express Web Connect, easier to say, is: Quicken has a bot that does that for you. Direct Connect is what we're going to talk about. It's a programmatic, structured query language based on the OFX protocol that talks directly between your client and your bank. So again, in picture form: you are the middleman on Web Connect, an Intuit server is the middleman on Express Web Connect, and Direct Connect is you actually talking directly with your bank. It's the minimal amount of trust relationship. Financial institution here is also the industry term for bank or credit card or investment account or 401k. I'll start saying FI or financial institution from here on out, now that you're in on the banker lingo with me.

Another step here is account aggregators. These are important to understand. So every bank, if you have to actually connect and go download a file, well, they all do it a little differently. So someone realized that there was a business here creating one unified API, their own proprietary API, and then screen scraping as a service to all these other banks. So there's a couple. These are the big names in account aggregation. Yodlee is the biggest.
They've actually been around for like 20 years. They also clean and normalize the data, so the names of the companies that you bought stuff from and what type of purchase it is all gets canonicalized across multiple institutions. They provide a good service, and to the end-user application developer they provide a consistent API. So if you want to write your own banking app, you don't have to talk to thousands of different banks individually. But they also add yet another layer of trust. So now my plain text password goes from my computer to the Personal Capital web application, a PFM, to Yodlee, and then to my financial institution, where they do some screen scraping or maybe make that direct connection to OFX for me. I have to trust that every one of these hops has my own financial best interest in mind and that they are all competent enough to protect a secret. The first is easier to believe than the latter.

So hopefully you're seeing, as I did, that this whole architecture is lacking in least privilege. And this is bullshit. Like, these are our banks. These are our... this is our money. Why do I have to give full read/write access to third-party software to just, you know, balance my checkbook every month, and trust some, you know, the latest financial app, who's then giving my read/write password to a third party and then to another third party? What's definitely needed here is some kind of OAuth, tokenized, app-based access control where I can say, hey Quicken, you can go to my Bank of America account, but you only have read-only access, and only for 30 days, and then talk to me after 30 days and I'll re-up your privileges. That's what we need. That is not what we have in 2018 in banking personal finance. So that's the end-user perspective. Let's get technical.
I'm going to start at the specification level, walk you guys through how things could work, and then we'll talk about implementations and deployments and how things actually work. The OFX protocol is an open spec. There's a group of companies that build it. It's freely available for download and perusal and implementation. You can go grab this spec right now and read along with me if you'd like. OFX is this proto web service. It was actually invented in 1997, so it's before we even had REST as a term, but it passes messages that are structured over HTTP: send a request, get back a response. It can do pretty much anything that a normal consumer would want to do with their bank: checking, savings account, your IRA, credit card transactions, you can do bill pay. Those first three on the left there are kind of read-only operations; on the right, writable operations: wiring money to foreign banks, transferring between accounts at your bank, transferring to accounts at different banks. It's up to each financial institution to sort of decide how much of the spec and the protocol they implement. No one really implements them all, as we'll see. It also does taxes. I didn't really research into that too much, but TurboTax, that I use and a lot of people use, also pulls data through this protocol.

And then that's kind of the data path, and then there's sort of a config path within the protocol and other interesting side things. So initial enrollment and password change can be done through OFX, messaging from the bank to you, notifications from you to the bank, and lots of functionality that's sort of obviously there to help transition a small bank, a traditional bank, into the digital age. So you can download images and PDFs within the protocol, sort of meant as, like, a scan of your bank statement instead of sending it to you in the mail. It's an obvious first step getting away from mailing you, but it's just scanning a PDF and
sending you the exact same thing. This protocol is complex. It's got a 650-page specification and it's actively developed and growing. With that complexity, we all know, comes insecurity.

I mentioned it goes over HTTP, so here we're gonna actually look at some captures of sorts. This is the standard HTTP header. You're doing a POST request to a well-known URL, request/response as I said. That URL is almost always some kind of base path and then a server handler. You remember CGI? It was definitely based off that. This unique content type, application/x-ofx. And some servers, not all servers, do user agent filtering, so I'm using the Intuit client app user agent here in these examples. So, the same slide, I just dropped those HTTP headers to make the text a little bigger, and we can look at the real protocol. It's got a header that mostly remains static. It tells us the version number, which is the most interesting part. And then the body. It looks like HTML, right? We've got elements and tags nested within each other. We've got span elements, we've got block-level elements. It's actually SGML, which, if you've never heard of, neither had I. SGML was invented after HTML but before XML, so they wanted a little bit of rigidity so that you can parse it well, but not a lot, still some wiggle room. You can tell it's SGML because there's no closing tags on the span elements. Those become required in XML. It's hard to get an SGML parser today. Python deprecated it in 2.6, which was years and years ago, so that's an interesting note.

And you'll notice plain text user ID. It's basically HTTP basic auth. Every one of your requests sends your username and password in plain text, in every request, all over TLS. So it's not sniffable; TLS is required. But no challenge-response, no session token. There is a session token mechanism of sorts.
I have not seen it used. And there's this financial ID that's sort of optional. Sometimes you need to specify the numeric value for the bank, sometimes you don't. And on the response there's a status code inside every block saying success or a unique error message. So pretty easy to parse, very human readable, and all outlined in a decently written spec.

So, typical protocol flow. We saw this in the GUI; this is the same thing over the wire. The client makes a profile request, which can be made anonymously, and gets a bunch of capabilities from the server: hey, do you support banking? Do you support investment? Then it sends an account info request, getting the list of accounts. That one has to be authenticated so it can look up your accounts. Then it sends a statement request, getting all of your transactions.

Here's an example of the profile request. That last one we looked at was just the simplest authentication; now we actually are asking for some data back in the body. This profile request, anonymous sign-in, PROFRQ, you don't really have to pass any data at all and you get back a lot of interesting info from a server sitting on the internet that anyone can query with anonymous credentials about what it supports. In this example we've got the bank message set. It's telling me checking accounts and savings accounts likely are available. This XFERPROF tells me that I can do money transfers to different accounts.
That's intra-bank money transfers. And then also in the profile is information about the bank. In 1997 most banks didn't have websites yet, so this was sort of seen as the way you were going to talk to your bank, and they might not have a website. So the physical address of the bank, an email so you can talk to someone at the bank, that all comes back with this profile request.

So, a timeline. 1997: Microsoft, who's making Microsoft Money, Intuit, who's making Quicken, and CheckFree, who's since got bought out and is not a common name, all collaborated to make this protocol. They each had their own proprietary protocol which your client had to use to talk to the bank. Presumably it was hard getting a bank to implement even one, so they merged together and put their combined weight behind getting the banks to actually run one of these OFX servers. 2005: the FDIC sees a lot of banks are going online and says, okay, we should make sure the security here is up to snuff. So the FDIC, the US Federal Deposit Insurance Corporation, who pass out a payout when banks lose money, says, okay, guidance: all banks should, not must, but strongly should, use multi-factor authentication for any of their online access. So in response to that a new version of the spec comes out in 2006, called 1.03, with MFA, which we'll go into. They transition it to XML. 2017: a brand-new beautiful spec with OAuth came out in November. It's eight months old. No one has implemented it. It is not in the wild yet. I'm hopeful. And you might notice there's a big gap here between 2006 and 2017. Pure speculation, but in 2009 Microsoft decides that Microsoft Money, their premier personal finance management software, is not worth it. They drop it.
The team stops developing it and two things happen. Intuit, now sort of being the only player in town, gets lazy and starts charging people a hundred dollars a year for the exact same version of Quicken. 2010, 2011, 2012: no software improvements whatsoever, because they have no competition and they don't need to try. But on the good side, there's this whole community effort, because people loved Microsoft Money, and so a lot of geeks started posting on forums and putting up web pages and finding out about OFX and writing clients. And that's what all of my work is built on: these guys in sort of 2009 through 2011 who wanted to replace Microsoft Money with a bunch of Python scripts and Excel spreadsheets.

So let's talk about MFA. Quick refresher that most everyone knows in this room: multi-factor authentication, something you know, something you have, and/or something you are. The point is to remove the brute-force password attack or theft of your password as valid attacks against your account, things that individuals are quite susceptible to. Banks have been doing two-factor authentication for 50 years with your ATM card: you have your card, you have your PIN, something you have, something you know. They're good at this. In addition to multi-factor, the security community has finally settled on the name two-step authentication: better than one factor, but not as good as multi-factor. We see this a lot. We see this a lot in banks. We still see it with Twitter: getting an SMS code instead of something you physically have, some sideband channel of information. Again, better than one factor, but not as good as two.

So, 2006, MFA is a should, not a must, by FDIC. What do the protocol implementers do? They have four different solutions in the specification. One is this user cred. One is this MFA challenge.
They're both basically asking questions about your mother's maiden name that you all know and love. In fact the second one is hard-coded in the spec. These are the questions that you will ask as a server to the client. In 2018 we all realize these are both something you know; these are things that are somewhat obvious or easily available to learn about a person. And moreover, I have the cheat sheet before the test, right? Oh, okay, I need to find out these 20 things about this person and then I can definitely log in to their account, you know, there's zip code.

The other two forms are a little better: client UID and auth token. I'll start on the right. Auth token: server-generated, sort of a GUID that it sends to the client, and the client has to send it back every time. It's sort of key-value-ish. It could be used to hold, like, TOTP, like one-time password codes, but they don't do that. Nobody uses it. Client UID is what everyone is sort of standardized on as the second factor. It is a client-generated GUID. The client sends it the first time, the server records it, and every time henceforth the client has to send that same UID, otherwise the server will stop trusting them. So it's TOFU. It's trust on first use. But actually, people have more than one computer, and this is recognized in the spec and in the implementation guidelines. Like, people will have a desktop and a laptop, people have phones.
So it's actually trust on first four uses, sometimes two. But yeah, so like if you see it, you've never seen this client and they make up an ID, well, as long as you don't have more than like one or two already stored, sure, they're also the same person. And that is the state of the art in multi-factor authentication within the protocol that passes your money. But I have good news, because that's in version 1.03, and no one's running 1.03. They're running 1.02. 80% of the implementations in the wild are running the version that was written in 1997. 20% are running the version that in theory can support multi-factor, and no one is running the OAuth version. Good news.

So let's talk about the financial institutions, these banks we love. We all know these big names. Most of us probably have an account somewhere here. These are from like the top 20 by assets of US banks: Citigroup, JPMorgan, Wells Fargo, American Express for credit cards. OFX is used by these guys. OFX is also used by YOLO, You Only Live Once Federal Credit Union. This is me participating in bank branch tourism. I flew to California and then drove two hours to get this photo for you. I have a lot of bank accounts. Well, that's not enough. Why don't you guys start a bank? Jack Henry will help you. Are you ready to start a bank?
We have tips and advice. Jack Henry's one of the major software providers of OFX. The more banks there are, the more money they make, the more software they sell. Start a bank. So if anyone wants to start a bank, like, with me after this we can, we'll see if we can hack it out tonight.

So I learned there are a lot of banks, like a lot. US and Canada; other countries are much more restrictive. But there are, according to Intuit, 15,000 FIs, financial institutions. According to the OFX consortium, 7,000 banks at one time have deployed an OFX server. My personal scanning shows about 2,000 unique institutions on the internet right now. That compresses down to 400 unique servers, because there's actually a lot of service providers, sort of like web hosting, OFX hosting companies in the space. But there are a lot of banks in the US and Canada. Many of these are the same company. Like, when you have a Target-branded credit card, that's an FI. When you have, like, a Quiznos-branded credit card, that's considered a financial institution. So it's not purely separate business entities. There is some indication that that difference between the 7,000 number and the 2,000 number is a decrease in popularity of people running OFX servers, which is sad, but also good, because it's insecure.

As a quick aside, I got banned for life from Capital One. It's another story for another time, but I was doing like these large cash transactions. There was some Bitcoin. In retrospect, maybe it looked like money laundering or very successful drug dealing. Totally legit though. I tried opening an account. It's been five years. I'm still banned for life. And I was a little worried, like, I was a bit like, oh my god, I don't have a bank account. And had I known, like, there's 4,999 other people who are willing to take my money. So don't worry about getting banned from your bank.

So let's go into my investigation. Now we're going to go into implementation and deployment.
I want to do a survey. I love Shodan. I love just surveying the internet. I want to find out how big is the problem, how big is the problem space. I want to ask these two questions: what financial institutions are even running these servers, and what software are they running? Two simple questions to ask. Here's the point where I say my research was only reconnaissance. I am sending packets at live, production, Fortune 500 company systems. I do not want to even accidentally take one down or gain unauthorized access. So I did very simple recon, like enumerating the hosts and sending GET requests. Enumerating the hosts, that's the tricky part up front. But this is great: the OFX community has sort of kept a database of these servers for several years. ofxhome.org is the best one. They've got a great website. This is where you can find out how to talk to your bank directly. GnuCash keeps one too; you know, you Google and you'll find them. But ofxhome is the best. Commercial clients, Quicken, they have what they call the branding service. You put in a name and it sends it off to their server and sends you back a URL for that bank name. And the URLs look like that up at the top: usually a subdomain, then some subdirectory in the path, and then some server handler. Interestingly, this is hard to mass-scan, and it's hard to script this, because you're not looking for a port, you're looking for a web service at a path, and that path can be anything. So I haven't come up with a good way of sort of finding these out of the ether. You sort of have to know they already exist, or, you know, call the bank and ask them.

So after I enumerated a large number of hosts, we just do a proof of life, like just make a TLS connection and see if that thing's even alive. A lot of this data is stale; it's from 2011.
So it's kind of an archaeology adventure, talking to servers set up five, ten years ago. What I find from a TLS connection: stale DNS, 232 are still listed in DNS but the IP doesn't accept a TCP connection. Not a big deal, like, no exploit, but it's sort of hinting at neglect, hinting at, okay, so someone didn't clean out their DNS. How long is that gonna live there? 15 that will accept a TLS connection but tell you that their cert is bad and expired, for years. So we got 15 hosts that, presumably, my data is still on them, but that no one's looking at, no one is maintaining these servers. Bigger red flag.

I've connected. Let's send GET / and see what we get, like web server profiling 101. Get a lot of banners. Sure, okay, so not the best configuration; didn't turn off that you're using IIS. Start getting OFX banners. Hey, this is handy. This is the OFX server version. Thanks: build number, version number, date it was released, time it was built. Very useful for me to start planning my attack. More of the same. Anybody notice something weird about that build date? 2007. Okay.

That's their web servers. Let's talk to the OFX servers. What's the simplest possible, like, valid protocol within spec that I can send? An empty base tag. Let's start sending that. Error: java.lang.NullPointerException. Okay, parser error, not handling not getting the elements that you think are always there. That's worth looking into. This one is like a three-for: the header starts, but then it stops writing the header, and then the message has two spaces because I didn't send a financial ID.
So it's doing some sort of printf, you know, string replacement of data that I sent in, and it's gonna reflect it back to me. This database error: a quick Google search tells you it's an IBM DB2 database that returns that error, straight from the database into the application server back to the client. No scrubbing. Oh, stack trace. This is what I was looking for. Getting warmer. Stack trace with a fully qualified path on the local system to where the code is and what line of the code failed. Yes. That was, I mean, I sent nothing. I sent a header and eight characters.

So let's switch now. I want real data. I don't want to cause errors. Just give me a profile, just tell me about yourself, like, first question on a first date. Send the profile request, the first part of every transaction that Quicken's gonna do. And here's that session token of sorts that I talked about. I was signing in as anonymous, so first, it shouldn't have given me a session token, but it did, and then it's a year long. So this server gives out year-long session tokens. If I ever steal one, then I can read your account, you know, password-equivalent for a year. The profile response thankfully tells me all about the password policy of that server, because I have to send passwords, so the client has to know how to validate. This one: minimum four characters, maximum four characters, not case sensitive, no special characters allowed, no spaces.
I'll do the math for you. It's about a million and a half total combinations. If you could check ten a second online, it'd take you about two days to brute force the entire key space that is possible for all usernames at this bank. Thankfully, I don't remember what bank that is, so I can't tell you. That was just asking for anonymous information.

Third and last sort of query I did was: give me an account list for the anonymous user, which is specified in the spec. You can send this anonymous user, this well-known string. I should definitely get an error, right? I should get either, I don't think you know, authentication failed, or no accounts found. Simple, easy to program to, two error cases. Here is what that request looks like. This is the entire request, very small, just asking for account info. And here is the error message, or error messages. Same request sent to about 2,000 different servers. This is a subset of the error messages I got back. How many different implementations are running out there? How many different configurations? Sign-on invalid, unsupported operation for anonymous, general error, user ID/password combination incorrect. How many ways of saying, like, I failed login?

So let's talk about the financial vendors. Who's building this software and how many implementations are there? This is a great little chart, not mine. It's from one of the financial software vendors explaining bank software. Three parts you need to know. On the left you have what they call the core. The core is a database and batch processing. It makes sure the bank knows how much money it has at the end of every day. In the middle is middleware.
That's every bank service, customer-facing service that you're familiar with: bill pay and remote deposit and dealing with your ATM. And then user experience, mobile, web, on the right. Three pieces. Every square on this diagram can be provided by a single vendor or the same vendor in the financial software world. Imagine the combinations of complexity within the bank IT system when, and this definitely happens, every one of these squares is a different vendor. These are not shrink-wrap boxes or apt-get installs or, you know, app stores. These are high-touch, call-to-talk-to-sales, negotiated deals for online banking solutions. A lot of these servers don't even have names. They're just the solution provided by the company, and OFX is one very small part of this ecosystem. Often a deployment like this involves custom development per bank. Not custom deployment, custom development. Like, code written just for Bank A and then different code written just for Bank B, because, you know, abstraction doesn't exist. I mean, it's vendor lock-in, obviously. It's a way for the vendor to assure they'll get their re-up on the next contract.

Here's a list from Intuit of the banks that support, sorry, the vendors that support OFX. This is their official list. I found nine more not on this list. Presumably they're no longer, like, preferred partners or some such. So we've got 30-plus different vendors of this singular protocol. These are the big guys. I didn't have enough data, unfortunately, to give you, like, who's the biggest, an apples-to-apples comparison. Just a couple names: FIS and Fiserv. They're multi-billion-dollar companies. They're the Microsoft and the Google of banking software. Then Enterprise Engineering and Q2. They're sort of the up-and-comers.
They've established themselves; I'm seeing a lot more servers advertising themselves as these two companies. It's a little small, but the Enterprise Engineering logo says "The name to trust for financial data solutions." I don't want to make fun of them, but it's on their website, which is not over HTTPS, and they forgot to pay their Google platform API bill. You can go there right now; it still looks like this. We all have bad IT days. Like, the people who build the website are not the people who build the OFX software, I know. But if you put "the trusted name in financial software" on every web page, you should not have "this page can't load Google Maps correctly."

Also, there's the hosting providers, who play a big role. So two-thirds of these FIs are behind hosting providers now. It's like everyone's going to the Amazon cloud and Azure; everyone's going to hosting providers. It's for a good reason, right? They can do a better job at security than your ma-and-pa credit union in your town of 4,000 people. Their security is better. Not good, but better than the self-hosted ones. I don't fully understand all the back-end details behind the OFX server, because I'm just poking it from the front, but a lot of these are batch jobs. So, like, your OFX server sits in some data center and it pulls and gets your transactions, like, every 24 hours. So that's why, if you're actually using Quicken or something, you often don't see your credit card transactions ASAP. There's batch processing in the back end.

A bunch of different stacks, of course, across 35 development vendors. This is mainly just server headers. There's a lot of IIS, but there's plenty of Apache. There's a whole long tail.
Several of these are custom HTTP servers written by the OFX provider. And there's a ton of acquisition. Banks love M&A, like divestiture and acquisition. These are compilers and debuggers to banks; they just do this every day, over and over again. Spin this company out, buy the company back. We do this in tech too. It's not a bad thing, but if you've been through an acquisition you know, like, sometimes the new company totally forgets about the tool you wrote and it just atrophies. So there's a ton of that in this industry. This is from FIS. These names up here had first-party OFX servers, and then they got acquired, and then things went downhill.

The vulnerabilities. Some quick math. This is not like a PhD-level algorithm that I applied, but across this much complexity, I'm pretty sure there's a lot of vulnerabilities. And I mean, as you saw, none of these are zero-days, and these aren't "I got your money." But from, like, sending a GET request, there shouldn't be this much smoke. There shouldn't be this much bad from the level of effort that I had to put in with a web browser and curl. On the left, that's a list of stuff we already talked about. On the right are things that I have time to talk about. I have a bank that still uses my social security number as the username for OFX. Not for the website, but for the OFX protocol, I got to use my social security number. Found some unregistered URLs. You can, you know, you want to start a bank? And reflected cross-site scripting. I know it's not HTML, and yet I got an XSS attack here.

Okay, let's play along at home. So everything I did I hacked together in Python, but I wanted to give it to you guys so that you could try it too. Professional pen testers for financial institutions, people writing the software: let's build a tool. Let's make this better. It's not actually on GitHub.
It'll be there in a couple of days, but it is real and it exists, and I'll show it to you now. A CLI tool that's going to go through and do what I showed you. It takes a couple of arguments: the URL, the server you want to talk to, and optionally the financial ID if you know it; it's not always required. You get this all from ofxhome.org; you can find your bank and run it against it right now. It sends some queries, does some analysis. Scroll back up: we sent that GET to slash, we sent the POSTs to the OFX path, we sent the empty OFX payload. We store those all locally, and then we just scan through them.

From that profile data we're going to get the financial institution, make sure that's the real one you want to talk to, their address, their info. We're going to get that OFX header version information: running 102. This is a service provider, LAN Extra. We're going to get the capabilities, sort of in this markdown format. It's a banking server; they do support transfers. Fingerprint: it's running Apache Tomcat; couldn't figure out the web framework. Software fingerprint: Finastra is the company that built the software, it's called Cavion; figured that all out from what they told me, couldn't get the version number. And then a couple of simple tests. I fail MFA immediately because they're running 102, and their password policy is also not very good.

So, Sunday, maybe, it should be up, if not Monday. You can check my Twitter and I'll post as soon as it is up and available. You can download it and you can run it.

OFX is your bank's digital side door. It's not a back door that's hidden in secret. And the front door, you know, that's the web app and that's the mobile app. It's the front door, but with less care and less security and less attention.
It's the side door. We all know that attackers are gonna go for the weakest door into your finances. It's a sad story. I don't want to be a downer, but neglect is the word that kept jumping into my mind. It's a lack of investment. I've talked to bankers. I've talked to bank IT guys. They literally say: we pay the system integrator, they install everything, five months later I call them again, they give us the upgrade. That's the state of a lot of it in 2018 at your local financial institution.

It's an even sadder story for the consumer, because this was 1997. We had an open protocol with programmatic access to our finances. No vendor lock-in, no loss of privacy, just you and your bank. And it didn't go anywhere. It didn't take off like it should have. How much better could our banking experience be today if Microsoft hadn't, you know, stopped competing? I wish my bank would have started when it was younger, but it's never too late to plan for retirement.

When you set up a server, have a plan on how you're gonna take it down. When you deploy a TLS certificate, make a Google Calendar message for when you have to update it. Monitor your finances, monitor your network. Know what you're running; know every service you're running, not just the front door.

This was only recon: one protocol, one endpoint, in a rat's nest of bank middleware. I had fun. I'm gonna keep building off of this. I'm gonna keep building out that tool; if anyone wants to help, PRs are welcome. If anyone's from a bank and wants to tell me more, their views, good stories, I would love to talk to you. All of you, please take the research, build off of it, and help make our personal finances more secure. Thank you.
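The analysis step the speaker describes, reading the OFX profile response for the header version, the institution name, the supported message sets and the signon password policy, can be shown in a small amount of code. The following is an added example for this transcript, not the speaker's tool and not any vendor's code, written from the point of view of someone auditing their own institution's OFX endpoint. The response body, the institution name "Example Credit Union", the realm "EXAMPLEFI" and the URL ofx.example-fi.test are constructed; the tag names (PROFRS, MSGSETCORE, TRANSPSEC, SIGNONINFO, MIN, CHARTYPE, CASESEN, FINAME) follow the OFX 1.x specification, and the "weak" thresholds are this example's own choices.

```python
"""Parse an OFX 1.x profile response (PROFRS) and flag weak signon settings.
Added example, not the speaker's tool; sample data and thresholds are constructed."""
import re

# OFX 1.x messages start with KEY:VALUE header lines, a blank line, then SGML.
SAMPLE_HEADER = ("OFXHEADER:100\nDATA:OFXSGML\nVERSION:102\nSECURITY:NONE\n"
                 "ENCODING:USASCII\nCHARSET:1252\nCOMPRESSION:NONE\n"
                 "OLDFILEUID:NONE\nNEWFILEUID:NONE\n")
# Constructed PROFRS body. Leaf tags carry a value and have no closing tag;
# aggregate tags are closed explicitly (the OFX 1.x SGML convention).
SAMPLE_BODY = """<OFX>
<PROFMSGSRSV1>
<PROFTRNRS>
<PROFRS>
<MSGSETLIST>
<SIGNONMSGSET>
<SIGNONMSGSETV1>
<MSGSETCORE>
<URL>http://ofx.example-fi.test/ofx
<TRANSPSEC>N
</MSGSETCORE>
</SIGNONMSGSETV1>
</SIGNONMSGSET>
<BANKMSGSET>
<BANKMSGSETV1>
<XFERPROF>
<CANSCHED>Y
</XFERPROF>
</BANKMSGSETV1>
</BANKMSGSET>
</MSGSETLIST>
<SIGNONINFOLIST>
<SIGNONINFO>
<SIGNONREALM>EXAMPLEFI
<MIN>4
<CHARTYPE>NUMERICONLY
<CASESEN>N
</SIGNONINFO>
</SIGNONINFOLIST>
<FINAME>Example Credit Union
</PROFRS>
</PROFTRNRS>
</PROFMSGSRSV1>
</OFX>
"""
SAMPLE_RESPONSE = SAMPLE_HEADER + "\n" + SAMPLE_BODY

TOKEN = re.compile(r"<(/?)([A-Z0-9._]+)>([^<]*)")

def split_header(raw):
    """Return (header dict, SGML body) for an OFX 1.x message."""
    head, _, body = raw.partition("\n\n")
    return dict(ln.split(":", 1) for ln in head.splitlines() if ":" in ln), body

def parse_sgml(body):
    """Build nested dicts from OFX SGML; repeated aggregates become lists."""
    root = {}
    stack = [root]
    for close, name, text in TOKEN.findall(body):
        if close:
            stack.pop()
            continue
        value = text.strip()
        if value:                       # leaf element with inline value
            stack[-1][name] = value
            continue
        child, seen = {}, stack[-1].get(name)
        if seen is None:
            stack[-1][name] = child
        elif isinstance(seen, list):
            seen.append(child)
        else:
            stack[-1][name] = [seen, child]
        stack.append(child)
    return root

def analyze(raw):
    """Summarize a profile response and list signon weaknesses found in it."""
    headers, body = split_header(raw)
    profrs = parse_sgml(body)["OFX"]["PROFMSGSRSV1"]["PROFTRNRS"]["PROFRS"]
    version = int(headers.get("VERSION", "0"))
    findings = []
    # The MFA challenge flow (MFACHALLENGESUPT) was added in OFX 1.0.3.
    if version < 103:
        findings.append("OFX %d predates MFA challenge support" % version)
    core = profrs["MSGSETLIST"]["SIGNONMSGSET"]["SIGNONMSGSETV1"]["MSGSETCORE"]
    if core.get("TRANSPSEC") != "Y" or not core.get("URL", "").startswith("https://"):
        findings.append("signon message set does not require TLS transport")
    info = profrs["SIGNONINFOLIST"]["SIGNONINFO"]
    info = info[0] if isinstance(info, list) else info   # first signon realm
    if int(info.get("MIN", "0")) < 8:                    # threshold is this example's choice
        findings.append("password minimum length %s is below 8" % info.get("MIN"))
    if info.get("CHARTYPE") in ("ALPHAONLY", "NUMERICONLY"):
        findings.append("password charset restricted to " + info["CHARTYPE"])
    if info.get("CASESEN") == "N":
        findings.append("passwords are case-insensitive")
    # Message set names minus the MSGSET suffix show what the server offers.
    sets = sorted(k[: -len("MSGSET")] for k in profrs["MSGSETLIST"])
    return {"fi_name": profrs.get("FINAME"), "version": version,
            "message_sets": sets, "findings": findings}
```

Running `analyze(SAMPLE_RESPONSE)` on the constructed response reports the institution name, version 102, the BANK and SIGNON message sets, and five findings: the pre-1.0.3 version, a signon message set that does not require TLS, and a 4-character, digits-only, case-insensitive password policy. The same parser works on a real PROFRS captured from an endpoint you are responsible for, which is the point at which the "password policy is also not very good" observation in the talk turns into a concrete list for the vendor.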
